(57) ABSTRACT

A method and apparatus for policy-based management of quality of service treatments of network data traffic flows by integrating policies with application programs are described. In one embodiment, a quality of service value is selectively associated with a flow of information generated by an application program and directed to a network device. Mappings representing an abstract policy and associating a pre-determined network quality of service with a traffic flow type of the flow of information and with an application program are created and stored in a repository that is accessible by the application program. The mappings are converted into one or more settings of the network device. The policy is enforced at the network device in response to receiving traffic from the application program that matches the traffic flow type. The settings may be Differentiated Services Code Points or may be RSVP+ messages. Policies may be represented by statements stored in a directory schema. Each policy statement is represented by nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising one of the quality of service treatments. The nodes start at a root node having a distinguished name in the directory.
METHOD AND APPARATUS FOR POLICY-BASED MANAGEMENT OF QUALITY OF SERVICE TREATMENTS OF NETWORK DATA TRAFFIC FLOWS BY INTEGRATING POLICIES WITH APPLICATION PROGRAMS

RELATED APPLICATIONS

This application is related to prior, co-pending applications Ser. No. 09/179,036, filed Oct. 26, 1998, entitled "Method and apparatus for defining and implementing high-level quality of service policies in computer networks," now U.S. Pat. No. 6,167,445 and Ser. No. 09/206,067, filed Dec. 4, 1998, entitled "Method and apparatus for identifying network data traffic flows and for applying quality of service treatments to the flows," now U.S. Pat. No. 6,286,052.

FIELD OF THE INVENTION

The present invention relates generally to computer networks, and more specifically, to a method and apparatus for policy-based management of quality of service treatments of network data traffic flows by integrating policies with application programs.

BACKGROUND OF THE INVENTION

A computer network typically comprises a plurality of interconnected entities that transmit ("source") or receive ("sink") data frames. A common type of computer network is a local area network ("LAN") that generally comprises a privately owned network within a single building or campus. LANs employ a data communication protocol (LAN standard), such as Ethernet, FDDI or Token Ring, that defines the functions performed by the data link and physical layers of a communications architecture (i.e., a protocol stack), such as the Open Systems Interconnection (OSI) Reference Model. In many instances, multiple LANs may be interconnected by point-to-point links, microwave transceivers, satellite hookups, etc., to form a wide area network ("WAN"), metropolitan area network ("MAN") or intranet. These internetworks may be coupled through one or more gateways to the global, packet-switched internetwork known as the Internet.

Each network entity preferably includes network communication software, which may operate in accordance with Transport Control Protocol/Internet Protocol (TCP/IP). TCP/IP generally consists of a set of rules defining how entities interact with each other. In particular, TCP/IP defines a series of communication layers, including a transport layer and a network layer. At the transport layer, TCP/IP includes both the User Data Protocol (UDP), which is a connectionless transport protocol, and TCP which is a reliable, connection-oriented transport protocol. When a process at one network entity wishes to communicate with another entity, it formulates one or more messages and passes them to the upper layer of the TCP/IP communication stack. These messages are passed down through each layer of the stack where they are encapsulated into packets and frames. Each layer also adds information in the form of a header to the messages. The frames are then transmitted over the network links as bits. At the destination entity, the bits are re-assembled and passed up the layers of the destination entity's communication stack. At each layer, the corresponding message headers are also stripped off, thereby recovering the original message which is handed to the receiving process.

One or more intermediate network devices are often used to couple LANs together and allow the corresponding entities to exchange information. For example, a bridge may be used to provide a "bridging" function between two or more LANs. Alternatively, a switch may be utilized to provide a "switching" function for transferring information, such as data frames or packets, among entities of a computer network. Typically, the switch is a computer having a plurality of ports that couple the switch to several LANs and to other switches. The switching function includes receiving data frames at a source port and transferring them to at least one destination port for receipt by another entity. Switches may operate at various levels of the communication stack. For example, a switch may operate at Layer 2 which, in the OSI Reference Model, is called the data link layer, and includes the Logical Link Control (LLC) and Media Access Control (MAC) sub-layers.

Other intermediate devices, commonly known as routers, may operate at higher communication layers, such as Layer 3 which in TCP/IP networks corresponds to the Internet Protocol (IP) layer. Packets at this layer include a corresponding header which contains an IP source address and an IP destination address. Routers or Layer 3 switches may re-assemble or convert received data frames from one LAN standard (e.g., Ethernet) to another (e.g., Token Ring). Thus, Layer 3 devices are often used to interconnect dissimilar subnetworks.

Some Layer 3 intermediate network devices may also examine the transport layer headers of received messages to identify the corresponding TCP or UDP port numbers being utilized by the corresponding network entities. Many applications are assigned specific, fixed TCP or UDP port numbers in accordance with Request For Comments (RFC) 1700. For example, TCP/UDP port number 80 corresponds to the Hypertext Transport Protocol (HTTP), while port number 21 corresponds to File Transfer Protocol (FTP) service.

ALLOCATION OF NETWORK RESOURCES

Computer networks include numerous services and resources for use in moving traffic throughout the network. For example, different network links, such as Fast Ethernet, Asynchronous Transfer Mode (ATM) channels, network tunnels, satellite links, etc., offer unique speed and bandwidth capabilities. Particular intermediate devices also include specific resources or services, such as number of priority queues, filter settings, availability of different queue selection strategies, congestion control algorithms, etc.

Individual frames or packets can be marked so that intermediate devices may treat them in a predetermined manner. For example, the Institute of Electrical and Electronics Engineers (IEEE) describes additional information for the MAC header of Data Link Layer frames in Appendix 802.1p to the 802.1D bridge standard.

FIG. 1A is a partial block diagram of a Data Link frame 100 that includes a MAC destination address (DA) field 102, a MAC source address (SA) field 104 and a data field 106. According to the 802.1Q standard, a user_priority field 108, among others, is inserted after the MAC SA field 104. The user_priority field 108 may be loaded with a predetermined value (e.g., 0-7) that is associated with a particular treatment, such as background, best effort, excellent effort, etc. Network devices, upon examining the user_priority field 108 of received Data Link frames 100, apply the corresponding treatment to the frames. For example, an intermediate device may have a plurality of transmission priority queues per port, and may assign frames to different queues of a destination port on the basis of the frame's user_priority value.
FIG. 1B is a partial block diagram of a Network Layer packet 120 corresponding to the Internet Protocol. Packet 120 includes a type_of_service (ToS) field 122, a protocol field 124, an IP source address (SA) field 126, an IP destination address (DA) field 128 and a data field 130. The ToS field 122 is used to specify a particular service to be applied to the packet 120, such as high reliability, fast delivery, accurate delivery, etc., and comprises a number of sub-fields. The sub-fields may include a 3-bit IP precedence (IPP) field and three one-bit flags that signify Delay, Throughput, and Reliability. By setting the flags, a device may indicate whether delay, throughput, or reliability is most important for the traffic associated with the packet. Version 6 of the Internet Protocol (IPv6) defines a traffic class field, which is also intended to be used for defining the type of service to be applied to the associated packet.

The Internet Engineering Task Force (IETF) has proposed replacing the ToS field 122 of Network Layer packets 120 with a one-octet differentiated services (DS) field 132 that can be loaded with a differentiated services codepoint. Layer 3 devices that are DS compliant apply a particular per-hop forwarding behavior to data packets based on the contents of their DS fields 132. Examples of per-hop forwarding behaviors include expedited forwarding and assured forwarding. The DS field 132 is typically loaded by DS compliant intermediate devices located at the border of a DS domain, which is a set of DS compliant intermediate devices under common network administration. Thereafter, interior DS compliant devices along the path apply the corresponding forwarding behavior to the packet 120.

FIG. 1C is a partial block diagram of a Transport Layer packet 150 that preferably includes a source port field 152, a destination port field 154, and a data field 156, among others. Fields 152, 154 preferably are loaded with the TCP or UDP port numbers that are utilized by corresponding network entities.

SERVICE LEVEL AGREEMENTS

To interconnect dispersed computer networks, many organizations rely on the infrastructure and facilities of Internet Service Providers (ISPs). For example, an organization may lease one or more T1 lines to interconnect various LANs. Each organization enters into a service-level agreement with its ISP. The service level agreements include one or more traffic specifications. The traffic specifications may place limits on the amount of resources that the organization may consume for a given price. For example, an organization may agree not to send traffic that exceeds a certain bandwidth, e.g., 1 Mb/s. Traffic entering the service provider's network is monitored to ensure that it complies with the relevant traffic specifications and is thus "in profile." Traffic that exceeds a traffic specification, and is therefore "out of profile," may be dropped or shaped or may cause an accounting change. Alternatively, the service provider may mark the traffic as exceeding the traffic specification, but allow it to proceed through the network anyway. If there is congestion, an intermediate network device may drop such marked traffic first in an effort to relieve the congestion.

MULTIPLE TRAFFIC FLOWS

A process executing at a network entity may generate hundreds or thousands of traffic flows that are transmitted across a network. Generally, a traffic flow is a set of messages (frames and/or packets) that typically correspond to a particular task, transaction or operation (e.g., a print transaction) and may be identified by various network and transport parameters, such as source and destination IP addresses, source and destination TCP/UDP port numbers, transport protocol.

The treatment that is applied to different traffic flows may vary depending on the particular traffic flow at issue. For example, an online trading application may generate stock quote messages, stock transaction messages, transaction status messages, corporate financial information messages, print messages, data backup messages, etc. A network administrator may wish to apply a different policy or treatment ("quality of service" or "QoS") to each traffic flow. In particular, the network administrator may want a stock quote message to be given higher priority than a print transaction. Similarly, a $1 million stock transaction message for a premium client should be assigned higher priority than a $100 transaction message for a standard customer.

DEFICIENCIES OF PAST APPROACHES

Currently, application programs that execute in network devices rarely invoke QoS functions, and therefore they do not take full advantage of QoS features that are available in the network devices.

Some intermediate network devices can distinguish between multiple traffic flows and can apply different QoS to the flows. Generally, QoS may be applied by such network devices based on the IP address or port number associated with a traffic flow. This approach has several advantages. It is centralized, it works with multiple applications, and it is application independent. However, there are also significant disadvantages. It is based on limited or no knowledge of application traffic flows. A network manager cannot define and apply QoS policies for individual applications. It has only limited applicability to encrypted packets.

In another known approach, applications use QoS signaling mechanisms, such as RSVP or differentiated services, in which the application sends a request for service that includes additional information to help a network device decide how to apply QoS. This approach can take advantage of detailed knowledge of different traffic flows produced by an application. However, there is no way to determine whether the RSVP requests comply with network-wide policies. The result is that the devices are often configured to ignore the signaling and treat all traffic equally.

Another problem with RSVP signaling is that it involves signaling overhead, and generally cannot work with applications that generate short-lived flows. By the time the signaling gets to the network device, the flow may be over.

Still another approach is IP precedence, in which a value is placed in a sub-field of the IP Type of Service field. This provides even less granular QoS control than DS.

Thus, current approaches do not adequately extend network device QoS features to multiple applications. These approaches do not integrate the application into the network and do not enable the application to classify its flows according to application-specific information.

Further, it is difficult to track applications that use dynamic port numbers, such as FTP. While some network devices can track applications with dynamic port numbers to a limited extent, provided that the protocols are well known and simple, it is extremely difficult to track proprietary applications or protocols, or to track applications in environments that use encrypted traffic.
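As an added illustration, not part of the patent text, of the ToS field 122 and DS field 132 described above, the following Python encodes the 3-bit IP precedence plus Delay/Throughput/Reliability flags and reads the same octet as a six-bit differentiated services codepoint; the bit positions are assumed from RFC 791/1349 (ToS) and RFC 2474 (DS field), and the class-selector relation it shows goes one step beyond what the page states.

```python
"""Two readings of the IPv4 Type of Service octet (added example, not from the
patent): the older view the page describes, a 3-bit IP precedence (IPP) plus
Delay/Throughput/Reliability flags, and the IETF DS-field view in which the
high six bits are a differentiated services codepoint (DSCP). Bit positions
are assumed from RFC 791/1349 (ToS) and RFC 2474 (DS field).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ToS:
    """Legacy view: precedence 0-7 and three one-bit flags."""
    precedence: int
    delay: bool = False        # D: minimize delay
    throughput: bool = False   # T: maximize throughput
    reliability: bool = False  # R: maximize reliability


def _check(value: int, bits: int, what: str) -> None:
    if not 0 <= value < (1 << bits):
        raise ValueError(f"{what} must fit in {bits} bits")


def encode_tos(tos: ToS) -> int:
    """Pack the legacy view: precedence in the high 3 bits, then D, T, R, then two zero bits."""
    _check(tos.precedence, 3, "IP precedence")
    return (tos.precedence << 5) | (tos.delay << 4) | (tos.throughput << 3) | (tos.reliability << 2)


def decode_tos(octet: int) -> ToS:
    """Read the octet the way an IP-precedence device does."""
    _check(octet, 8, "ToS octet")
    return ToS(octet >> 5, bool(octet & 0x10), bool(octet & 0x08), bool(octet & 0x04))


def dscp_of(octet: int) -> int:
    """DS view: the codepoint is the high six bits, giving 64 treatments instead of 8 precedences."""
    _check(octet, 8, "DS octet")
    return octet >> 2


def set_dscp(octet: int, dscp: int) -> int:
    """Write a codepoint into the high six bits; the two low bits are not part of the DSCP,
    so a marker preserves them rather than zeroing the whole octet."""
    _check(octet, 8, "DS octet")
    _check(dscp, 6, "DSCP")
    return (dscp << 2) | (octet & 0x03)


def class_selector(precedence: int) -> int:
    """Codepoint 'xxx000': a DS domain stays compatible with IP precedence xxx by using these."""
    _check(precedence, 3, "IP precedence")
    return precedence << 3


def describe(octet: int) -> dict:
    """Both interpretations of one octet, e.g. how a precedence-only router sees a DS-marked packet."""
    legacy = decode_tos(octet)
    flags = "".join(name for name, on in (("D", legacy.delay), ("T", legacy.throughput),
                                          ("R", legacy.reliability)) if on)
    return {"dscp": dscp_of(octet), "precedence": legacy.precedence, "flags": flags}


if __name__ == "__main__":
    ef = set_dscp(0, 46)   # Expedited Forwarding codepoint 46 -> octet 184
    print(describe(ef))    # a precedence-only device sees precedence 5 with D and T set
    print(describe(set_dscp(0, class_selector(5))))  # CS5: plain precedence 5, no flags
```

The same octet value 184 is codepoint 46 to a DS-compliant device but only "precedence 5" to an IP-precedence device, which is the loss of granularity the text refers to.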
Still another deficiency of prior approaches is that there is no clear separation of the tasks of policy definition and configuration among the typical enterprise network administrator and the application manager. If a policy-based system is used but applications are not integrated into it, then problems may arise. Either a network administrator does both policy definition and configuration, without adequate knowledge of the application, or an application manager carries out classification of application flows but does not know how the network will treat QoS requests of the application.

Thus, there is a need for a mechanism that integrates applications into a policy-based networking system, and enables applications to participate in deciding how to apply a particular QoS to a traffic flow generated by the application.

SUMMARY OF THE INVENTION

The foregoing objects and advantages, and other objects and advantages that will become apparent from the following description, are achieved by the present invention, which comprises, in one embodiment, a method of selectively associating a quality of service value with a flow of information generated by an application program and directed to a network device. The method involves creating one or more mappings, each mapping representing an abstract policy and associating a pre-determined network quality of service with a traffic flow type of the flow of information and with an application program. The mappings are stored in a repository that is accessible by the application program. The mappings are converted into one or more settings of the network device, which enforces the policy in response to receiving traffic from the application program that matches the traffic flow type.

One feature of this embodiment is that creating and storing one or more mappings comprises registering one or more application codepoints, which are associated with traffic flow types, in the repository. Another feature is that creating and storing one or more mappings comprises creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in the repository in association with information identifying the application program. A related feature is that creating and storing one or more mappings comprises creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in a policy store that is coupled to the repository, in association with information identifying the application program.

Still another feature is that creating and storing one or more mappings comprises creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in a directory. In one embodiment, creating and storing one or more mappings comprises creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in a policy server coupled to a Lightweight Directory Access Protocol directory that comprises the repository.

According to another feature, creating and storing one or more mappings further comprises creating and storing, in the repository, one or more mappings of application codepoints of the application program to one or more Differential Services Code Points of a protocol associated with the network device. A related feature is that creating and storing one or more mappings further comprises generating one or more messages in an RSVP+ protocol and communicating the messages to the network device.

In another feature, determining one or more processing policies comprises creating and storing one or more policy statements in a repository, wherein each policy statement associates a condition of one of the traffic flows, an operator, an operand, and an action comprising one of the quality of service treatments. Further, determining one or more processing policies may comprise creating and storing one or more policy statements in a repository. Each policy statement is represented by a plurality of nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising one of the quality of service treatments.

In another feature, determining one or more processing policies comprises creating and storing one or more policy statements in a directory, wherein each policy statement is represented by a plurality of nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising one of the quality of service treatments, and wherein the plurality of nodes is coupled to a root node having a distinguished name in the directory. Still another feature is that each of the mappings comprises an application codepoint value stored in association with a differentiated services code point value.

According to another feature, enforcing one of the processing policies comprises requesting an operating system function to modify a packet of the traffic flows using a policy element that requests a different operating system function according to the operating system then in use. At the network device, in response to receiving traffic from the application program that matches the traffic flow type and in response to the operating system function, the packet is modified to activate a quality of service treatment of the network device.

Other features and aspects will become apparent from the following detailed description.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings in which like reference numerals refer to similar elements and in which:

FIG. 1A is a partial block diagram of a network message.

FIG. 1B is a partial block diagram of a network message.

FIG. 1C is a partial block diagram of a network message.

FIG. 2 is a simplified block diagram of a computer network.

FIG. 3 is a simplified partial block diagram of a local policy enforcer.

FIG. 4 is a block diagram of a process of determining application quality of service information.

FIG. 5 is a block diagram of a portion of a Repository that contains a Directory Schema.

FIG. 6A is a block diagram of a system that provides policy-based QoS treatment for application traffic flows.

FIG. 6B is a block diagram of the system of FIG. 6A showing structures relating to multi-platform support.

FIG. 7A is a flow diagram of steps of a configuration phase of operating the system of FIG. 6A and FIG. 6B.

FIG. 7B is a flow diagram of steps of an active phase of operating the system of FIG. 6A and FIG. 6B.

FIG. 8 is a block diagram of a computer system with which an embodiment may be carried out.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A method and apparatus for policy-based management of quality of service treatments of network data traffic flows, by integrating policies with application programs, is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

OPERATIONAL CONTEXT

An embodiment of the invention is used in the context of a network. FIG. 2 is a block diagram of a computer network 200 that includes a plurality of local area networks 202, 204, 206 interconnected by a plurality of intermediate network devices 208, 210. A plurality of network end stations, such as end station 212 and print server 214, are coupled to the LANs. The network further includes at least one policy server 216 that may be coupled to a repository 218 and to a network administrator station 220. A server suitable for use as policy server 216 is any Windows NT® or UNIX workstation or similar computer platform. Network 200 also includes at least one host or server 222 configured in accordance with the present invention.

Server 222 includes at least one application program or process 224, a flow declaration component 226 and a communication facility 228. The flow declaration component 226 includes a message generator 230 that communicates with the communication facility 228. Flow declaration component 226 also is coupled to an associated memory 232 for storing one or more traffic flow data structures 234. The application program 224 communicates with both communication facility 228 and, through application programming interface (API) layer 236, to flow declaration component 226. Communication facility 228, in turn, is connected to network 200 by LAN 206. The server 222 also comprises conventional programmable processing elements, which may contain software program instructions pertaining to the methods of the present invention. Other computer readable media may also be used to store the program instructions.

Communication facility 228 preferably includes one or more software libraries for implementing a communication protocol stack allowing server 222 to exchange messages with other network entities, such as end station 212, print server 214, etc. In particular, the communication facility 228 may include software layers corresponding to TCP/IP, Internet Packet Exchange (IPX) protocol, the AppleTalk protocol, the DECNet protocol and/or NetBIOS Extended User Interface (NetBEUI). Communication facility 228 further includes transmitting and receiving circuitry and components, including one or more network interface cards (NICs) that establish one or more physical ports to LAN 206 or other LANs for exchanging data packets and frames.

Intermediate network devices 208, 210 provide basic bridging functions including filtering of data traffic by MAC address, "learning" of a MAC address based upon a source MAC address of a frame, and forwarding of the frame based upon a destination MAC address or route information field (RIF). They may also include an IP software layer and provide route processing, path determination, and path switching functions. In one embodiment, devices 208, 210 are computers having transmitting and receiving circuitry and components, including network interface cards (NICs) establishing physical ports, for exchanging data frames. Intermediate network device 210, moreover, preferably is configured as a local policy enforcer for traffic flows originating from server 222, as described below.

Network 200 is illustrated as an example only. Embodiments disclosed in this document will operate with other, possibly far more complex, network topologies. For example, repository 218 and network administrator station 220 may be coupled directly or indirectly to policy server 216 through zero or more intermediate devices.

2. LOCAL POLICY ENFORCER

FIG. 3 is a block diagram of intermediate network device 210, which is configured as a local policy enforcer and therefore referenced using the same reference numeral. Local policy enforcer 210 generally comprises a traffic flow state machine engine 310 for maintaining flow states corresponding to server 222 traffic flows, as described below. Local policy enforcer 210 may be present in any network device, or in any host. For example, local policy enforcer 210 may be implemented in a scheduler of a router or in a host module that enforces flows exiting a host.

The traffic flow state machine engine 310 is coupled to a communication engine 312. Communication engine 312 is configured to formulate and exchange messages with the policy server 216 and flow declaration component 226 at server 222. Thus, communication engine 312 includes or has access to conventional circuitry for transmitting and receiving messages over network 200.

The traffic flow state machine engine 310 also is coupled to several traffic management resources and mechanisms. In particular, traffic flow state machine engine 310 is coupled to a packet/frame classifier 314, a traffic conditioner entity 316, a queue selector/mapping entity 318, and a scheduler 320. The traffic conditioner entity 316 includes several sub-components, including one or more metering entities 322, one or more marker entities 324, and one or more shaper/dropper entities 326. The queue selector/mapping entity 318 and scheduler 320 operate on the various queues established by local policy enforcer 210 for its ports and/or interfaces, such as queues 330a-330e corresponding to interface 332.

The term "intermediate network device" broadly means any intermediate device for interconnecting end stations of a computer network, including, without limitation, Layer 3 devices or routers as defined by RFC 1812; intermediate devices that are partially compliant with RFC 1812; intermediate devices that provide additional functions such as Virtual Local Area Network (VLAN) support; and Layer 2 intermediate devices such as switches and bridges, etc.

POLICY SYSTEM

FIG. 6A is a block diagram of a system that provides policy-based QoS treatment for application traffic flows. Generally, the system of FIG. 6A comprises a Policy Server 604, a Repository 600, and an Application 608.

The Application 608 generally is an enterprise software application program that runs on a server computer. For example, Application 608 may comprise an Oracle® database system, a PeopleSoft® human resources system, or any other application. Application 608 is coupled to Repository
600 and to an Application Manager 606, the functions of which are described further below. Application 608 is also coupled to a Local Mapping 610, described below.

Repository 600 stores policies that are associated with applications. Repository 600 may comprise a directory server, such as Netware Directory Server, Windows Active Directory, etc., or a database. Advantageously, use of a Repository offers security. The format of the Repository is known only to a network vendor that supplies the Repository, or to a network administrator. Thus, only authorized applications may access the Repository. The format of the Repository may be standardized, in which case any application complying with the standards can get access to the information. The Repository may be implemented as a table or information tree in a database or directory. Each directory or database can store many Repositories, each of which stores different information.

A Schema stored in the Repository provides an integration point and a common information model for communication between Application 608 and Policy Server 604. Application 608 extends the Schema by adding application-specific parameters to it. The extended Schema describes the application and its specific parameters. For example, the Schema describes an Application Codepoint and its possible values. When Application 608 is a Web server, the Schema describes a URL and its user name. Other examples of parameters include type of transaction; user identifier; application identifier; a text description; and others.

The application-specific parameters may be added manually, for example, using a schema definition file that is uploaded into the Repository 600. In another embodiment, the Repository 600 is a Directory Server compatible with Lightweight Directory Access Protocol (LDAP), and the application-specific parameters are added dynamically using LDAP. The precise mechanism for adding parameters is not critical. What is important is that each application contacts the Repository and declares one or more parameters that

[...]

Alternatively, each network device 620 may communicate directly with the Repository 600, without passing communications through Policy Server 604.

A mapping may apply for all application instances, for all application instances running on some subnet or on a single machine, or for a single instance identified by its IP address and source port number. The latter is useful, for example, when several Web servers are running on the same host. Thus, different mappings can be defined for the same Application Codepoints, depending on the particular installation instance. The mapping translates single application QoS requirements into policies or requests that are centrally coordinated and in compliance with network-wide multi-application policies.

In addition, each application instance may be associated with a role, or a combination of roles. Different mappings reflecting different policies may be associated with different roles. An application instance uses the mapping associated with it according to its name, IP address, port number, or role.

FIG. 6B is a block diagram of the system of FIG. 6A showing architectural details that provide multi-platform support. As in FIG. 6A, Policy Server 604 and Application 608 are coupled to a repository, which in this embodiment is implemented in the form of an LDAP-compliant Directory 601. Policy Server 604 and Application 608 communicate with Directory 601 using LDAP function calls.

Application 608 is tightly coupled to or integrated with an application QoS policy element 609. In one embodiment, element 609 is one or more software programs, processes, or modules that can be linked to application 608 and called by the application. Element 609 implements the functions described herein including those of FIG. 7B. Element 609 may communicate with Directory 601 using LDAP calls. Element 609 can set QoS services of a network device, for example, by setting DiffServ bits of packets of a flow of application 608, using functions of a UNIX operation sys-

application will use for classification of QoS of network tcm 630 and a Windows NT operating system 632. Any other 
devices that handle traflSc flows generated by the applica- ^ operating system may be supported; UNIX and Windows 

lion. NT are illustrated merely as examples. In one embodiment. 

Policy Server 604 provides a mechanism by which a element 609 selectively and alternatively calls the "set- 
network administrator or manager may map application sockopt" function or "RAPI" function of UNIX, or the 
parameters into network services. A Network Administration GQoS or TC APIs of Endows NT to set QoS bits of packets 
Client 602 is coupled to Policy Server 604. A network 45 of a particular application flow. The "selsockopt** fimction is 
administrator may use Network Administration Client 602 used to activate DiffServ, and RAPI is used for RSVP, As a 
to communicate with Policy Server 604. Alternatively, Net- result, DiflEServ or RSVP+ information is created, as iodi- 
work Administration Client 602 may communicate directly catcd by Mode 634, The QoS information of block 634 is 
with the Repository. Each network service defines how an passed in packets of the flow to network device operating 
application should access it. For example, access may com- 50 system 622, In response, network device 620 applies a 
prise setting a DiffServ Code Point in the packets, by setting desired QoS to the flow. 

IP Precedence values in the packets, or by signaling using Advantageously, the architecture of FIG. 6B supports 

RSVP. An example of a commercial product suitable for use multiple platforms using APIs, provides policy integration 

as Policy Server 604 is Cisco Assure QoS Policy Manager using LDAP, and supports both DifEScrv and RSVP+. 
1.0, commercially available from Cisco Systems, Inc. 55 

' . „ . , , , , 2. OPERAnON OF THE SYSTEM 

Pohcy Server 604 is coupled to one or more network 

devices 620, each of which executes a network device Operation of the system of FIG, 6A or FIG. 6B generally 
operating system 622. An example of a network device 620 comprises two phases: a configuration phase and an opera- 
is a router and an example of a network device operating tion phase. The phases may execute in parallel, 
system 622 is lOS. Policy Server 604 configures the network 60 FIG. 7A is a flow diagram of steps that may be carried out 
devices 620 to implement the network services and to in the configuration phase. In block 702, ACPs associated 
correctly re^ond to signaling from Apphcation 608. For with an application are registered in a repository. For 
example, Policy Server 604 may map an Application Code- example, Application 608 registers one or more Application 
point to a DiffServ Code Point or IP precedence value. Such Codepoints in Repository 600. In one embodiment, ^pU- 
mappings of ACPs to DSCPs may be stored in Local 6S cation 608 directly registers ACPs in Repository 600. 
Mapping 610 so that they are immediately accessible to Alternatively, Application Manager 606 receives informa- 
Application 608 when it is executing in real time. tion about traffic flows from Application 608, classifies the 
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iraflBc flows into groups, maps the groups to ACPs, and 
registers the ACPs in Directory 600. 

In block 704, policies are established based on the ACPs that are registered in association with the application. In one embodiment, Network Administration Client 602 or a network manager receives the ACP values. The network manager need not receive information about Application 608 or its traffic flows; however, the network manager or Network Administration Client 602 normally has extensive knowledge about managed devices in the network and the QoS services and features that they support. In response, the network manager establishes policies that associate conditions, operators, and the ACP values with actions or services of the devices. The policies may implement DiffServ or RSVP strategies. The policies may be stored in a storage device. Definition and storage of policies may be carried out using Policy Server 604.

In block 706, the ACPs are mapped to DiffServ Code Points and the resulting mapping is stored in a repository. For example, Policy Server 604 may use one or more LDAP calls to store mappings of ACP values to DSCP values in Repository 600. In the preferred embodiment, block 706 also involves automatically storing the mappings in a Local Mapping that is associated with and accessible to the application when it is executing.

FIG. 7B is a flow diagram of an active phase of operating the system. Application 608 executes. When an ACP is reached in execution of Application 608, the application calls its Local Mapping and passes it an ACP value associated with the current ACP, as shown by block 708. Alternatively, the application fetches mapping information from the Repository. When the Repository is an LDAP Directory, the application may use LDAP calls to fetch the information. In this embodiment, the application is modified or configured so that the application is LDAP-enabled, for example, by incorporating LDAP reference code or libraries.

Block 708 may also involve the steps of processing the information received from the Repository for efficient lookup. In another embodiment, block 708 involves polling the Repository for policy changes that are stored in the Repository after the mapping information is retrieved. Further, block 708 may involve listening for notification of policy changes.

For each flow generated by the application, this information is then used to map the application parameters attached to the flow into a concrete QoS decision and a signaling mechanism. For example, the process is notified by the application about the start of each flow, with its parameters, and this information is converted into QoS information usable by a network device. The simplest case is mapping one ACP into a DSCP value, as shown by block 710, and then setting a QoS value of packets of the flow, as shown by block 712. For example, a QoS value may be set by marking the flow packets using an appropriate operating system call to an existing QoS service, as shown by block 714.

Alternatively, if the mapping information cannot be obtained or refreshed from the policy Repository, the application reverts to a backup mode of signaling the policy information itself, such as an ACP value, to the network device, e.g., using RSVP+, as shown by block 716. Thus, for short-lived flows, packets may be colored, whereas for long-lived flows, separate out-of-band messages may be used to establish QoS.

Standard APIs provided by the network operating system are used to signal the network. For example, GQoS or RAPI may be used for RSVP signaling. The APIs "GQoS" and "setsockopt" of the host operating system, such as UNIX or Windows®, may be used for DiffServ or IP Precedence marking.

The application and the policy system may use event services, such as CNS, to publish and subscribe to event notifications regarding policy changes. Upon such events the application should download and use the new policies. Alternatively, the application can poll the policy repository.

In block 718, the policy is enforced at a network device, based on information identifying the source of the packet and the DSCP or RSVP+ value associated with the packet. In one embodiment, a service of IOS enforces the policy based on the values.

The selection of DiffServ or RSVP+ as a policy enforcement mechanism is a matter of network policy. DiffServ is integrated in the network using the Repository described herein, with the defined Schema and LDAP for communications, and can handle all sessions, including short-lived flows. RSVP+ is integrated using a network device that supports RSVP+. It enables signaling QoS information from non-core or third-party applications, and is well suited for use with non-trusted hosts.

3. USER MODEL

Using the system and process described above, network applications may request network QoS based on application-specific parameters. A network manager maps the application-specific parameters into concrete network services. However, this approach requires the network manager to be familiar with the application-specific parameters and what they mean. Some applications are complex, such as Enterprise Resource Planning ("ERP") applications, and require deep knowledge and expertise to operate properly. The network manager may not have such expertise. Normally such expertise resides with an application manager or information technology manager of the organization that is using the application.

FIG. 4 is a block diagram of a process of determining application-specific network QoS information. The process of FIG. 4 partitions decision-making about application QoS among an applications manager 420 and a network manager 422 in a manner that allows distributed decision-making yet is simple for the network manager to control.

Applications manager 420 is an individual who has expertise operating a particular application. Examples of applications include databases, ERP applications, sales force automation applications, human resources applications, etc. Applications manager 420 receives extensive application information 402 that defines, among other things, the types of network messages, traffic and flows that are generated by the application in operation. Applications manager 420 makes an application decision 404, resulting in creating one or more application classes 406 that categorize the messages, traffic and flows into a smaller number of groups. For example, application information 402 might inform applications manager 420 that a particular application generates eight (8) different kinds of log and warning error messages. The applications manager may decide to classify all such messages as "medium" priority traffic.

The mapping of application information to application classes may be represented by creating and storing one or more Application Codepoints (ACPs) 426. Thus, the application pre-defines a set of application classes or Application Codepoints 426. The ACPs identify and define one or more types of traffic flows or classes that are produced by the application. ACPs may define application flows in a static manner, for example, according to intrinsic application parameters. For example, one ACP value may be associated with all traffic generated by a specific application module. Another ACP may identify batch traffic, and another may identify transactional traffic.

Table 1 provides one example of a mapping of ACPs to priority descriptions.

TABLE 1

ACP    DESCRIPTION
1      HIGH PRIORITY
2      MEDIUM PRIORITY
3      NORMAL PRIORITY
4      LOW PRIORITY

Table 2 provides another example of a mapping of ACPs to application traffic flow description.

TABLE 2

ACP    DESCRIPTION
1      FINANCE TRANSACTION
2      FINANCE REPORTING
3      HR TRANSACTION
4      HR REPORTING

Sequential ACP values are shown in Table 1 and Table 2; however, an ACP may have any value, according to any order. Any number of ACP values may be defined. The number of ACPs that are defined depends upon the level of detail ("granularity") of control that is desired for traffic flows of an application.

To establish ACPs 426 for an application, an application manager 420 may edit a configuration file that maps ACP values to application flows. For example, application manager 420 could be a Webmaster who prepares a configuration file that maps URLs and users into pre-defined application classes such as High, Medium, and Low. Alternatively, application manager 420 is an individual who uses a management console provided with the application to control how application flows are mapped into different ACPs.

Network manager 422 is an individual having expertise in configuring, operating, and maintaining a network, such as network 200 of FIG. 2. Network manager 422 receives the application classes 406 and, based on the network manager's accumulated expertise in network operations, makes a network decision 408 that maps each of the application classes 406 into one or more network classes 410. The network classes 410 represent a mapping of a specific QoS for the network, typically in terms of DSCPs or RSVP+ messages. For example, the network manager 422 may decide to map the High class of traffic to DSCP "52."

Table 3 is an example of a mapping of ACP values to policy values.

TABLE 3

ACP DESCRIPTION        DSCP VALUE
FINANCE TRANSACTION    50
FINANCE REPORTING      32
HR TRANSACTION         32
HR REPORTING           24

A mapping of the type shown in Table 3 is created and stored for each application. Accordingly, the ACP Description values will differ according to the application.

Preferably, such mappings are stored in the Repository in 
the manner described in this document. The mappings may 
be created and stored using an external application program. 
Preferably, the program creates and stores a default policy 
value, e.g., a default DSCP value, when no mapping is 
created for a particular ACP value. This simplifies the 
mapping process. 
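The Local Mapping lookup, the default policy value for an unmapped ACP, and the packet-marking and backup-signaling steps of FIG. 7B (blocks 710 to 716), carried through as an added example that is not part of the patent. The ACP and DSCP values are those of Table 2 and Table 3; the class names, the default DSCP of 0, and the socket test double are assumptions.

```python
"""Local Mapping of Application Codepoints (ACPs) to DSCP values: the lookup of
block 710, the default policy value for an unmapped ACP, the DiffServ marking of
block 714 through setsockopt, and the RSVP+ backup mode of block 716.

Added example, not code from the patent. ACP and DSCP values come from Table 2
and Table 3; the default DSCP, class names and socket handling are assumptions."""
import socket
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

BEST_EFFORT_DSCP = 0  # assumed default policy value used when an ACP has no mapping

# Table 2 (from the page): ACP values defined by the applications manager.
ACP_FINANCE_TRANSACTION = 1
ACP_FINANCE_REPORTING = 2
ACP_HR_TRANSACTION = 3
ACP_HR_REPORTING = 4

# Table 3 (from the page): DSCP chosen by the network manager for each ACP.
TABLE_3_ACP_TO_DSCP: Dict[int, int] = {
    ACP_FINANCE_TRANSACTION: 50,
    ACP_FINANCE_REPORTING: 32,
    ACP_HR_TRANSACTION: 32,
    ACP_HR_REPORTING: 24,
}


@dataclass
class LocalMapping:
    """Local Mapping 610: the per-application ACP -> DSCP table retrieved from the
    Repository and kept beside the application for real-time lookup."""
    acp_to_dscp: Dict[int, int] = field(default_factory=dict)
    default_dscp: int = BEST_EFFORT_DSCP
    available: bool = True  # False when the Repository could not be reached or refreshed

    def lookup(self, acp: int) -> Optional[int]:
        """Block 710. Returns None when no mapping information is available at all,
        the page's trigger for the backup signalling mode of block 716."""
        if not self.available:
            return None
        return self.acp_to_dscp.get(acp, self.default_dscp)


def dscp_to_tos(dscp: int) -> int:
    """The DSCP is the upper six bits of the IP TOS byte (RFC 2474); ECN bits stay zero."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    return dscp << 2


def tos_to_dscp(tos: int) -> int:
    return (tos >> 2) & 0x3F


class RecordingSocket:
    """Test double standing in for a real socket: records the TOS value that
    setsockopt() would hand to the operating system."""
    def __init__(self) -> None:
        self.tos = 0

    def setsockopt(self, level: int, optname: int, value: int) -> None:
        assert (level, optname) == (socket.IPPROTO_IP, socket.IP_TOS)
        self.tos = value

    def getsockopt(self, level: int, optname: int) -> int:
        return self.tos


def mark_flow(sock, mapping: LocalMapping, acp: int) -> Tuple[str, int]:
    """Blocks 712 to 716: colour the flow's packets with the mapped DSCP through
    setsockopt(IP_TOS) or, when the mapping cannot be obtained, fall back to
    signalling the ACP itself out of band. Returns (mechanism, value) for logging."""
    dscp = mapping.lookup(acp)
    if dscp is None:
        # Backup mode: the ACP would be carried to the network device in an RSVP+
        # message; the RSVP+ exchange itself is not modelled here.
        return ("rsvp+", acp)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, dscp_to_tos(dscp))
    return ("diffserv", dscp)


def current_dscp(sock) -> int:
    """Read the marking back from the socket, as a check that the OS accepted it."""
    return tos_to_dscp(sock.getsockopt(socket.IPPROTO_IP, socket.IP_TOS))


if __name__ == "__main__":
    # Stand-alone run on a real UDP socket (the OS must allow IP_TOS to be set).
    mapping = LocalMapping(dict(TABLE_3_ACP_TO_DSCP))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        print(mark_flow(s, mapping, ACP_FINANCE_TRANSACTION), current_dscp(s))
        print(mark_flow(s, mapping, 99))  # unmapped ACP: default DSCP
    mapping.available = False
    print(mark_flow(RecordingSocket(), mapping, ACP_HR_TRANSACTION))
```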

Both network manager 422 and applications manager 420 
may be influenced by external management 424 and its 
policies and procedures. 

In operation, the application consults with the policy 
system in order to complete the mapping from the ACPs into 
network services, for example, into DSCP values. Generally, 
such mapping is stored in the Repository. The policy man- 
ager uses the policy system to store the mappings in the 
Repository, and an application uses an access protocol such 
as LDAP to retrieve a mapping from the Repository. 

The mapping from ACPs to network services may be 
communicated between applications manager 420 and net- 
work manager 422 using a Service Level Agreement (SLA). 
Generally, SLAs define the types of services provided by the 
network along with their characteristics, their limitations, 
and how to activate them. For example, an SLA might 
indicate, in part, that bandwidth of more than 20Kbps may 
be obtained by using the DSCP value "43". Advantageously, 
applications manager 420 only needs to prepare a mapping 
of an application function into an ACP and may ignore 
details of the network services that are used to achieve a 
particular QoS. Further, network manager 422 only needs to 
prepare a mapping of ACPs to network services and need not 
know or consider the application functions that are handled. 

As a result, network manager 422 considers only groups or classes of application traffic flow and need not know or consider a much larger set of application functions that fall into such groups or classes. Minimizing the number of ACPs will optimize the local policy matching process. Further, flexibility and granularity in decision-making are supported, because the application manager 420 may consider all application parameters and permutations before determining application policies. Accordingly, application managers may participate in the decision process pertaining to QoS for applications. A network administrator may control even the most complicated applications, which might involve many application-specific parameters and require extensive application-specific expertise.

4. INFORMATION MODEL 

In an embodiment, the Repository stores one or more 
Policy Statements. Each Policy Statement applies to a spe- 
cific application, and may be specific to a logical instance of 
the application. It describes a condition and a network 
service to be applied for traffic matching that condition. A 
Policy Statement may comprise a general Boolean expres- 
sion of its underlying policy conditions. 

Each condition describes a subset of traffic flows of the application. Each condition comprises basic condition components. Each basic condition comprises a basic policy parameter identifier, an operator and an operand. Policy identifiers may be application-specific. Each policy identifier has a pre-defined type such as string, integer, or enumerated value. For example, a policy identifier may be "URL"; an operator may be "contains"; and an operand may be "www.cisco.com".
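The Policy Statement structure just described (a policy identifier, an operator and an operand per condition; conditions joined by Boolean operators; a terminating action), as an added example that is not part of the patent and that also mirrors the Application, Condition and Action node layout of FIG. 5 described further below. The class and operator names, the first-match rule, the flow record shape and the sample Web server policies are assumptions.

```python
"""Policy Statements of the Information Model as an evaluable tree:
Application node -> Condition nodes joined by Boolean operators -> Action node.

Added example, not code from the patent. The node classes, operator names, the
first-match rule, the flow record shape and the sample policies are assumptions."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Union


@dataclass
class Condition:
    """Basic condition: a policy identifier, an operator and an operand. Evaluates to a Boolean."""
    identifier: str
    operator: str  # "eq", "gt", "lt", "in_range" or "contains"
    operand: Any

    def evaluate(self, flow: Dict[str, Any]) -> bool:
        if self.identifier not in flow:
            return False  # parameter absent from this flow: the condition cannot hold
        value = flow[self.identifier]
        if self.operator == "eq":
            return value == self.operand
        if self.operator == "gt":
            return value > self.operand
        if self.operator == "lt":
            return value < self.operand
        if self.operator == "in_range":  # inclusive, e.g. a range of ACP values
            low, high = self.operand
            return low <= value <= high
        if self.operator == "contains":  # e.g. URL contains "www.cisco.com"
            return str(self.operand) in str(value)
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class BooleanOp:
    """Joins conditions or nested expressions with AND or OR (the page's AND operator)."""
    op: str  # "AND" or "OR"
    operands: List["Expr"]

    def evaluate(self, flow: Dict[str, Any]) -> bool:
        results = (e.evaluate(flow) for e in self.operands)
        if self.op == "AND":
            return all(results)
        if self.op == "OR":
            return any(results)
        raise ValueError(f"unknown Boolean operator {self.op!r}")


Expr = Union[Condition, BooleanOp]


@dataclass
class Action:
    """Action node: the network service to apply to the flow; here a DSCP value."""
    dscp: int


@dataclass
class PolicyStatement:
    condition: Expr
    action: Action
    instance: Optional[str] = None  # restrict to one logical instance ("host:port"); None = all


@dataclass
class ApplicationNode:
    """Application node whose children are the Policy Statements of that application."""
    app_id: str
    statements: List[PolicyStatement] = field(default_factory=list)

    def decide(self, flow: Dict[str, Any], default_dscp: int = 0) -> int:
        """DSCP of the first Policy Statement that evaluates to TRUE for the flow
        (first-match ordering is an assumption), else the default policy value."""
        for statement in self.statements:
            if statement.instance is not None and flow.get("instance") != statement.instance:
                continue
            if statement.condition.evaluate(flow):
                return statement.action.dscp
        return default_dscp


# Constructed sample: a Web server application with three Policy Statements.
WEB_SERVER = ApplicationNode("webserver", [
    PolicyStatement(BooleanOp("AND", [
        Condition("url", "contains", "www.cisco.com"),  # operand from the page's example
        Condition("acp", "in_range", (1, 2)),
    ]), Action(dscp=50)),
    PolicyStatement(Condition("dst_port", "eq", 443), Action(dscp=32),
                    instance="10.0.0.5:8443"),  # one logical instance only
    PolicyStatement(Condition("dst_port", "eq", 443), Action(dscp=24)),
])


def classify(flow: Dict[str, Any]) -> int:
    """DSCP decision for one flow record of the sample application."""
    return WEB_SERVER.decide(flow)
```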

A plurality of global, pre-defined Policy Identifiers are stored. Pre-defined Policy Identifiers include source and destination IP address, source and destination port numbers, protocol, application identifier, and ACP. Application-specific policy identifiers are added to the Repository manually, or by a configuration file provided by the application, or by program calls using standard protocols such as LDAP.

FIG. 5 is a block diagram of a portion of a Repository that contains a Directory Schema 500. The Directory Schema 500 may represent the topology of a managed network or other directory information useful in network management. A Root node 502 is coupled to Directory Schema 500. In this context, "Root" means that node 502 is the topmost node for a set of nodes that represent Policy Statements. The Root node 502 may have a Distinguished Name in the Directory Schema 500 of the type defined in the International Telecommunications Union (ITU) X.400 standard.

As shown in FIG. 5, Root node 502 is coupled to a plurality of Application nodes 504A, 504B, 504C. There may be any number of Application nodes. Each Application node represents a particular application program that is used in the managed network. Child nodes of an Application node represent policies that are associated with that application.

Each Policy Statement in the Repository comprises stored information that represents a condition and an action involved in the policy. For example, Application node 504A is coupled to two Condition nodes 506A, 506B. Each condition comprises a parameter, an operator, and an operand. For example, a parameter may be a range of ACP values, or one or more URL statements that contain strings. Each operator is a comparison such as equal to, greater than, less than, in range, etc. Each condition evaluates to a Boolean value.

Conditions are joined by Boolean operators. For example, Condition node 506A is coupled to Condition node 506B by an AND operator 508. There may be any number of Condition nodes and any number of operators.

The Repository is associated with a list of network services that are implemented by the system. The list of services stores abstract definitions of services that are later translated into a specific configuration of a network device. Examples of services include delay, guaranteed bandwidth, a queuing type on a router interface, etc. The services in the list also define signaling mechanisms that may be used for accessing the service, for example, by using a specific DSCP or IP Precedence value.

Each Policy Statement terminates in an Action. For example, Condition nodes 506A, 506B terminate at Action node 510. Each Action node represents an action to apply to network devices when an associated application generates a traffic flow such that the Policy Statement evaluates to TRUE. An Action node may store information that indicates, for example, that network devices must service the flow using DSCP or IPP.

The Repository may be implemented in the form of a Directory Server, in a database, or using one or more files expressed in an Interface Definition Language (IDL).

HARDWARE OVERVIEW

FIG. 8 is a block diagram that illustrates a computer system 800 upon which an embodiment of the invention may be implemented. Computer system 800 includes a bus 802 or other communication mechanism for communicating information, and a processor 804 coupled with bus 802 for processing information. Computer system 800 also includes a main memory 806, such as a random access memory (RAM) or other dynamic storage device, coupled to bus 802 for storing information and instructions to be executed by processor 804. Main memory 806 also may be used for storing temporary variables or other intermediate information during execution of instructions to be executed by processor 804. Computer system 800 further includes a read only memory (ROM) 808 or other static storage device coupled to bus 802 for storing static information and instructions for processor 804. A storage device 810, such as a magnetic disk or optical disk, is provided and coupled to bus 802 for storing information and instructions.

Computer system 800 may be coupled via bus 802 to a display 812, such as a cathode ray tube (CRT), for displaying information to a computer user. An input device 814, including alphanumeric and other keys, is coupled to bus 802 for communicating information and command selections to processor 804. Another type of user input device is cursor control 816, such as a mouse, a trackball, or cursor direction keys for communicating direction information and command selections to processor 804 and for controlling cursor movement on display 812. This input device typically has two degrees of freedom in two axes, a first axis (e.g., x) and a second axis (e.g., y), that allows the device to specify positions in a plane.

The invention is related to the use of computer system 800 for policy-based management of quality of service treatments of network data traffic flows by integrating policies with application programs. According to one embodiment of the invention, policy-based management of quality of service treatments of network data traffic flows by integrating policies with application programs is provided by computer system 800 in response to processor 804 executing one or more sequences of one or more instructions contained in main memory 806. Such instructions may be read into main memory 806 from another computer-readable medium, such as storage device 810. Execution of the sequences of instructions contained in main memory 806 causes processor 804 to perform the process steps described herein. In alternative embodiments, hard-wired circuitry may be used in place of or in combination with software instructions to implement the invention. Thus, embodiments of the invention are not limited to any specific combination of hardware circuitry and software.

The term "computer-readable medium" as used herein refers to any medium that participates in providing instructions to processor 804 for execution. Such a medium may take many forms, including but not limited to, non-volatile media, volatile media, and transmission media. Non-volatile media includes, for example, optical or magnetic disks, such as storage device 810. Volatile media includes dynamic memory, such as main memory 806. Transmission media includes coaxial cables, copper wire and fiber optics, including the wires that comprise bus 802. Transmission media can also take the form of acoustic or light waves, such as those generated during radio-wave and infra-red data communications.

Common forms of computer-readable media include, for example, a floppy disk, a flexible disk, hard disk, magnetic tape, or any other magnetic medium, a CD-ROM, any other optical medium, punchcards, papertape, any other physical medium with patterns of holes, a RAM, a PROM, and EPROM, a FLASH-EPROM, any other memory chip or cartridge, a carrier wave as described hereinafter, or any other medium from which a computer can read.

Various forms of computer readable media may be involved in carrying one or more sequences of one or more instructions to processor 804 for execution. For example, the instructions may initially be carried on a magnetic disk of a remote computer. The remote computer can load the instructions into its dynamic memory and send the instructions over a telephone line using a modem. A modem local to computer system 800 can receive the data on the telephone line and use an infra-red transmitter to convert the data to an infra-red signal. An infra-red detector can receive the data carried in the infra-red signal and appropriate circuitry can place the data on bus 802. Bus 802 carries the data to main memory 806, from which processor 804 retrieves and executes the instructions. The instructions received by main memory 806 may optionally be stored on storage device 810 either before or after execution by processor 804.

Computer system 800 also includes a communication interface 818 coupled to bus 802. Communication interface 818 provides a two-way data communication coupling to a network link 820 that is connected to a local network 822. For example, communication interface 818 may be an integrated services digital network (ISDN) card or a modem to provide a data communication connection to a corresponding type of telephone line. As another example, communication interface 818 may be a local area network (LAN) card to provide a data communication connection to a compatible LAN. Wireless links may also be implemented. In any such implementation, communication interface 818 sends and receives electrical, electromagnetic or optical signals that carry digital data streams representing various types of information.

Network link 820 typically provides data communication through one or more networks to other data devices. For example, network link 820 may provide a connection through local network 822 to a host computer 824 or to data equipment operated by an Internet Service Provider (ISP) 826. ISP 826 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the "Internet" 828. Local network 822 and Internet 828 both use electrical, electromagnetic or optical signals that carry digital data streams. The signals through the various networks and the signals on network link 820 and through communication interface 818, which carry the digital data to and from computer system 800, are exemplary forms of carrier waves transporting the information.

Computer system 800 can send messages and receive data, including program code, through the network(s), network link 820 and communication interface 818. In the Internet example, a server 830 might transmit a requested code for an application program through Internet 828, ISP 826, local network 822 and communication interface 818. In accordance with the invention, one such downloaded application provides for policy-based management of quality of service treatments of network data traffic flows by integrating policies with application programs as described herein.

The received code may be executed by processor 804 as it is received, and/or stored in storage device 810, or other non-volatile storage for later execution. In this manner, computer system 800 may obtain application code in the form of a carrier wave.

In the foregoing specification, the invention has been described with reference to specific embodiments thereof. It will, however, be evident that various modifications and changes may be made thereto without departing from the broader spirit and scope of the invention. The specification and drawings are, accordingly, to be regarded in an illustrative rather than a restrictive sense.

What is claimed is:

1. A method of selectively associating a quality of service with a flow of information generated by an application program and directed to a network device, comprising the steps of:

creating one or more mappings, each mapping representing an abstract policy and associating a pre-determined network quality of service with a traffic flow type of the flow of information and with an application program;

storing the mappings in a repository that is accessible by the application program;

converting the mappings into one or more settings of the network device that are used by the network device to enforce the policy in response to receiving traffic from the application program that matches the traffic flow type.

2. A method as recited in claim 1, wherein creating and storing one or more mappings comprises registering one or more application codepoints, which are associated with [illegible], in the repository.

3. A method as recited in claim 1, wherein creating and storing one or more mappings comprises creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in the repository in association with information identifying the application program.

4. A method as recited in claim 1, wherein creating and storing one or more mappings comprises creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in a policy store that is coupled to the repository, in association with information identifying the application program.

5. A method as recited in claim 1, wherein creating and storing one or more mappings comprises creating and storing one or more policies, concerning network processing of flows generated by the application program, in a directory.

6. A method as recited in claim 1, wherein creating and storing one or more mappings comprises creating and storing one or more policies, concerning network processing of flows generated by the application program, in a policy store coupled to a Lightweight Directory Access Protocol directory that comprises the repository.

7. A method as recited in claim 1, wherein creating and storing one or more mappings further comprises creating and storing, in the repository, one or more mappings of application codepoints of the application program to one or more Differential Services Code Points of a protocol associated with the network device.

8. A method as recited in claim 1, wherein creating and storing one or more mappings further comprises generating one or more messages in a RSVP+ protocol and communicating the messages to the network device.

9. A method as recited in claim 1, wherein the abstract policy for each mapping is determined by creating and storing one or more policy statements in a repository, wherein each policy statement associates a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment.

10. A method as recited in claim 1, wherein the abstract policy for each mapping is determined by creating and storing one or more policy statements in a repository, wherein each policy statement is represented by a plurality of nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment.

11. A method as recited in claim 1, wherein the abstract policy for each mapping is determined by creating and storing one or more policy statements in a directory, wherein each policy statement is represented by a plurality of nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment, and wherein the plurality of nodes is coupled to a root node having a distinguished name in the directory.

12. A method as recited in claim 1, wherein each of the

[...] repository, in association with information identifying the application program.

19. A computer-readable medium as recited in claim 15, wherein creating and storing one or more mappings com-
mappings comprises an application codepoint value stored 5 P^ses creating and storing one or more policies, concerning 
in associated with a differentiated services code point value. network processing of traffic flows generated by the appli- 

13. A method as recited in claim 1. wherein the abstract cation program, in a directory. 

policies are enforced by creating and storing messages 20. A computer-readable medium as recited m claun 15, 

requesting an operating system function to modify a packet wherein creating and storing one or more mappings com- 

of the traffic flows using a policy element that requests a lo P"ses creating and storing one or more policies, concerning 

different operating system function according to the operat- network processing of traffic flows generated by the appU- 

ing system then in use; and at the network device, in cation program, in a policy server coupled to a Ughtweighl 

response to receiving traffic from the application program Directory Access Protocol directory that comprises the 

that matches the traffic flow type and in response to the repository. 

operating system function, modifying the packet to activate is 21. A computer-readable medium as recited in claim 15, 

a quality of service treatment of the network device. wherein creating and stormg one or more mappmgs further 

14. A method of selectively associating a quality of comprises creating and storing , in the repository, one or 
service with a flow of information generated by an appUca- mappings of application codepoints of the appHcation 
tion program and directed to a network device, comprising program to one or more Differential Services Code Points of 
the steps of* 20 ^ protocol associated with the network device. 

creating one or more mappings, each mapping associating ^l. A computer-readable medium as recited in clato 15, 

a pre-determined network quality of se^ice with a ^"^^^^^ """""S ^'"""S °' """^ mappings further 

traffic flow type of the flow of information and with an ''°"'P"*^ generaUng one or more messages m a RSVP+ 

appUcation program; protocol and commumcatmg the messages to the network 

storing the mappings in a schema of a directory that is « ^^'^a computer-readable medium as recited in claim 15. 

accesable by the application program, the schema ^^^^-^ ^y. ^^^^ ^ ^^^i^ ^3 determined 

mcludmg a root node associated with the mappmgs of ^j^^g „^ „^ statements in a 

each application; repository, wherein each policy statement associates a con- 
converting the mappings into one or more settings of the dition of one of the traffic flows, an operator, an operand, and 

network device; an action comprising a quality of service treatment, 

enforcing the quality of service at the network device in 24. A computer-readable medium as recited in claim 15, 

response to receiving trafBc from the appUcation pro- wherein the abstract pohcy for each mapping is determined 

gram that matches the traffic flow type. by creating and storing one or more policy statements in a 

15. A computer-readable medium carrying one or more repository, wherein eada policy statement is represented by 
sequences of instructions for selectively associating a qual- a plurahty of nodes that represent a condition of one of the 
ity of service with a flow of information generated by an traffic flows, an operator, an operand, and an action com- 
application program and directed to a network device, prising a quality of service treatment. 

wherein execution of the one or more sequences of instruc- 25. A computer-readable medium as recited in claim 15, 

tions by one or more processors causes the one or more ^ wherein the abstract policy for each mapping is determined 

processors to perform the steps of: by creating and storing one or more policy statements in a 

creating one or more mappings, each mapping represent- directory, wherein each policy statement is represented by a 

ing an abstract policy and associating a pre-determined plurality of nodes that represent a condition of one of the 

network quality of service with a traffic flow type of the traffic flows, an operator, an operand, and an action com- 

flow of information and with an application program; 45 prising a quality of service treatment, and wherein the 

storing the mappings in a repository that is accessible by plurality of nodes is coupled to a root node having a 

the application program; distinguished name in the directory, 

converting the mappings into one or more settings of the ^6. A computer-readable medium as recited in claim 15, 

network device that may be used by the network device wherein each of the mappings comprises an application 

to enforce the policy at the network device in response 50 codepoint value stored in associated with a differentiated 

to receiving traffic from the application program that services code point value. 

matches the traffic flow type. 27. A computer-readable medium as recited m claun 15, 

16. A computer-readable medium as recited in claim 15, wherein enforcing one of the abstract policies comprises: 
wherein creating and storing one or more mappings com- requesting an operating system function to modify a 
prises registering one or more application codepoints, which 55 packet of the traffic flows using a policy element that 
are associated with traffic flow types, in the repository. requests a different operating system function accord- 

17. A computer-readable medium as recited in claim 15, ing to the operating system then in use; 

wherein creating and storing one or more mappings com- at the network device, in response to receiving traffic from 

prises creating and storing one or more policies, concerning the appHcation program that matches the traffic flow 

network processing of traffic flows generated by the appli- 60 type and in response to the operating system fimction, 

cation program, in the repository in association with infer- modifying the packet to activate a quality of service 

mation identifying the application program. treatment of the network device. 

18. A computer-readable medium as recited in claim 15, 28. A system for selectively associating a quality of 
wherein creating and storing one or more mappings com- service with a flow of information generated by an applica- 
prises creating and storing one or more policies, concerning 65 tion program and directed to a network device, comprising: 
network processing of traffic flows generated by the apph- a policy manager that creates one or more mappings, each 
cation program, in a policy store that is coupled to the mapping representing an abstract policy and associat- 
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iDg a pre-determined network quality of service with a 
traffic flow type of the flow of information and with an 
application program, wherein the mappings are stored 
in a repository that is accessible by the application 
program; 

a local storage element that converts the mappings into 
one or more settings of the network device that cause 
the network device to enforce the policy in response to 
receiving traffic from the application program that 
matches the traffic flow type. 

29. A system as recited in claim 28, the mappings comprise one or more application codepoints that are associated with traffic flow types and registered in the repository.

30. A system as recited in claim 28, wherein the mappings comprise one or more policies, concerning network processing of traffic flows generated by the application program, that are stored in the repository in association with information identifying the application program.

31. A system as recited in claim 28, wherein the repository 
comprises a directory server. 

32. A system as recited in claim 28, wherein the mappings comprise one or more policies, concerning network processing of traffic flows generated by the application program, stored in a policy server coupled to a Lightweight Directory Access Protocol directory that comprises the repository.

33. A system as recited in claim 28, wherein the mappings comprise one or more mappings, stored in the repository, of application codepoints of the application program to one or more Differential Services Code Points of a protocol associated with the network device.

34. A system as recited in claim 28, further comprising one or more policy statements stored in the repository, wherein each policy statement associates a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment.

35. A system as recited in claim 28, further comprising one or more policy statements stored in the repository, wherein each policy statement is represented by a plurality of nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment.

36. A system as recited in claim 28, further comprising one or more policy statements stored in a directory, wherein each policy statement is represented by a plurality of nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment, and wherein the plurality of nodes is coupled to a root node having a distinguished name in the directory.

37. A system as recited in claim 28, wherein each of the 
mappings comprises an application codepoint value stored 
in associated with a differentiated services code point value. 

38. A system as recited in claim 28, further comprising an application quality of service policy element configured for requesting an operating system function to modify a packet of the traffic flows using a policy element that requests a different operating system function according to the operating system then in use and, at the network device, in response to receiving traffic from the application program that matches the traffic flow type and in response to the operating system function, modifying the packet to activate a quality of service treatment of the network device.
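The policy model recited in claims 28 through 38, as an added example that is not the patent's own code: policy statements held as condition/operator/operand/action nodes under a root distinguished name, application codepoints mapped to DiffServ Code Points, and the mappings converted into the TOS byte a network device would set on matching traffic. The root DN, application names, ports and flows are constructed for illustration; only the DSCP values are standard.

```python
"""Added example (not the patent's code): policy-based QoS mapping modelled on
the claims above. All DNs, application names, ports and flows are constructed."""
from dataclasses import dataclass, field
from typing import Any, Callable

# Standard DiffServ Code Point values (RFC 2474, RFC 2597, RFC 3246).
DSCP = {"BE": 0, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34, "EF": 46}

# Operators a policy statement may use to compare a flow attribute to its operand.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda a, b: a == b,
    "in": lambda a, b: a in b,
    ">=": lambda a, b: a >= b,
}


@dataclass
class PolicyStatement:
    """One policy statement node: condition, operator, operand and action."""
    condition: str  # name of the flow attribute being tested
    operator: str   # key into OPERATORS
    operand: Any
    action: str     # DSCP name to apply when the statement matches


@dataclass
class PolicyRepository:
    """Repository rooted at a distinguished name; holds per-application
    codepoint mappings and the ordered policy statements coupled to the root."""
    root_dn: str
    codepoints: dict[tuple[str, str], str] = field(default_factory=dict)
    statements: list[PolicyStatement] = field(default_factory=list)

    def register_codepoint(self, app: str, codepoint: str, dscp_name: str) -> None:
        """Map an application codepoint to a DSCP; reject names not in DSCP."""
        if dscp_name not in DSCP:
            raise ValueError(f"unknown DSCP name {dscp_name!r}")
        self.codepoints[(app, codepoint)] = dscp_name

    def add_statement(self, stmt: PolicyStatement) -> None:
        """Store a policy statement after validating its operator and action."""
        if stmt.operator not in OPERATORS or stmt.action not in DSCP:
            raise ValueError("malformed policy statement")
        self.statements.append(stmt)


def resolve_dscp(repo: PolicyRepository, flow: dict[str, Any]) -> str:
    """Determine the DSCP for a flow. A registered (app, codepoint) mapping wins;
    otherwise the first matching statement; anything else is best effort, so an
    application cannot obtain a premium mark merely by claiming a codepoint."""
    key = (flow.get("app"), flow.get("codepoint"))
    if key in repo.codepoints:
        return repo.codepoints[key]
    for stmt in repo.statements:
        if stmt.condition in flow and OPERATORS[stmt.operator](flow[stmt.condition], stmt.operand):
            return stmt.action
    return "BE"


def to_tos_byte(dscp_name: str) -> int:
    """Convert a DSCP to the IPv4 TOS / IPv6 Traffic Class byte: the six DSCP
    bits sit above the two ECN bits, which are left zero."""
    return DSCP[dscp_name] << 2


def device_settings(repo: PolicyRepository) -> list[tuple[str, str, int]]:
    """Convert stored mappings into device settings: (app, codepoint, TOS byte)."""
    return [(app, cp, to_tos_byte(name)) for (app, cp), name in repo.codepoints.items()]


if __name__ == "__main__":
    repo = PolicyRepository(root_dn="cn=qos,ou=policies,dc=example,dc=com")  # constructed DN
    repo.register_codepoint("VoiceApp", "audio", "EF")
    repo.add_statement(PolicyStatement("dst_port", "in", {5060, 5061}, "AF31"))
    for flow in ({"app": "VoiceApp", "codepoint": "audio"}, {"app": "Other", "codepoint": "audio"},
                 {"app": "Other", "dst_port": 5060}):
        print(flow, "->", resolve_dscp(repo, flow))
    print(device_settings(repo))  # [('VoiceApp', 'audio', 184)]
```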

39. An apparatus for selectively associating a quality of service with a flow of information generated by an application program and directed to a network device, comprising:

means for creating one or more mappings, each mapping representing an abstract policy and associating a pre-determined network quality of service with a traffic flow type of the flow of information and with an application program;
means for storing the mappings in a repository that is accessible by the application program;
means for converting the mappings into one or more settings of the network device that may be used by the network device to enforce the policy at the network device in response to receiving traffic from the application program that matches the traffic flow type.

40. An apparatus as recited in claim 39, wherein the means for creating and storing one or more mappings further comprises means for registering one or more application codepoints, which are associated with traffic flow types, in the repository.

41. An apparatus as recited in claim 39, wherein the means for creating and storing one or more mappings further comprises means for creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in the repository in association with information identifying the application program.

42. An apparatus as recited in claim 39, wherein the means for creating and storing one or more mappings further comprises means for creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in a policy store that is coupled to the repository, in association with information identifying the application program.

43. An apparatus as recited in claim 39, wherein the means for creating and storing one or more mappings further comprises means for creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in a directory.

44. An apparatus as recited in claim 39, wherein the means for creating and storing one or more mappings further comprises means for creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in a policy server coupled to a Lightweight Directory Access Protocol directory that comprises the repository.

45. An apparatus as recited in claim 39, wherein the means for creating and storing one or more mappings further comprises means for creating and storing, in the repository, one or more mappings of application codepoints of the application program to one or more Differential Services Code Points of a protocol associated with the network device.

46. An apparatus as recited in claim 39, wherein the means for creating and storing one or more mappings further comprises means for generating one or more messages in a RSVP+ protocol and communicating the messages to the network device.

47. An apparatus as recited in claim 39, wherein the abstract policy for each mapping is determined by means for creating and storing one or more policy statements in a repository, wherein each policy statement associates a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment.

48. An apparatus as recited in claim 39, wherein the abstract policy for each mapping is determined by means for creating and storing one or more policy statements in a repository, wherein each policy statement is represented by a plurality of nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment.

US 6,466,
23

49. An apparatus as recited in claim 39, wherein the abstract policy for each mapping is determined by means for creating and storing one or more policy statements in a directory, wherein each policy statement is represented by a plurality of nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment, and wherein the plurality of nodes is coupled to a root node having a distinguished name in the directory.

50. An apparatus as recited in claim 39, wherein each of the mappings comprises an application codepoint value stored in associated with a differentiated services code point value.

51. An apparatus as recited in claim 39, wherein the abstract policies are enforced by:

means for creating and storing messages requesting an operating system function to modify a packet of the traffic flows using a policy element that requests a different operating system function according to the operating system then in use; and

at the network device, in response to receiving traffic from the application program that matches the traffic flow type and in response to the operating system function, means for modifying the packet to activate a quality of service treatment of the network device.

52. An apparatus for selectively associating a quality of service with a flow of information generated by an application program and directed to a network device, comprising:

a network interface;

a processor coupled to the network interface and receiving information from the network interface;

a computer-readable medium accessible by the processor and comprising one or more sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:

creating one or more mappings, each mapping representing an abstract policy and associating a pre-determined network quality of service with a traffic flow type of the flow of information and with an application program;

storing the mappings in a repository that is accessible by the application program;

converting the mappings into one or more settings of the network device that may be used by the network device to enforce the policy at the network device in response to receiving traffic from the application program that matches the traffic flow type.

53. An apparatus as recited in claim 52, wherein the step of creating and storing one or more mappings includes the step of registering one or more application codepoints, which are associated with traffic flow types, in the repository.

54. An apparatus as recited in claim 52, wherein the step of creating and storing one or more mappings includes the step of creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in the repository in association with information identifying the application program.

55. An apparatus as recited in claim 52, wherein the step of creating and storing one or more mappings includes the step of creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in a policy store that is coupled to the repository, in association with information identifying the application program.

56. An apparatus as recited in claim 52, wherein the step of creating and storing one or more mappings includes the step of creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in a directory.

57. An apparatus as recited in claim 52, wherein the step of creating and storing one or more mappings includes the step of creating and storing one or more policies, concerning network processing of traffic flows generated by the application program, in a policy server coupled to a Lightweight Directory Access Protocol directory that comprises the repository.

58. An apparatus as recited in claim 52, wherein the step of creating and storing one or more mappings includes the step of creating and storing, in the repository, one or more mappings of application codepoints of the application program to one or more Differential Services Code Points of a protocol associated with the network device.

59. An apparatus as recited in claim 52, wherein the step 
of creating and storing one or more mappings includes the 
steps of: 

generating one or more messages in a RSVP+ protocol; 
and 

communicating the messages to the network device. 

60. An apparatus as recited in claim 52, further comprising instructions for determining the abstract policy for each mapping by performing the step of creating and storing one or more policy statements in a repository, wherein each policy statement associates a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment.

61. An apparatus as recited in claim 52, further comprising instructions for determining the abstract policy for each mapping by performing the step of creating and storing one or more policy statements in a repository, wherein each policy statement is represented by a plurality of nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment.

62. An apparatus as recited in claim 52, further comprising instructions for determining the abstract policy for each mapping by performing the step of creating and storing one or more policy statements in a directory, wherein each policy statement is represented by a plurality of nodes that represent a condition of one of the traffic flows, an operator, an operand, and an action comprising a quality of service treatment, and wherein the plurality of nodes is coupled to a root node having a distinguished name in the directory.

63. An apparatus as recited in claim 52, wherein each of the mappings comprises an application codepoint value stored in associated with a differentiated services code point value.

64. An apparatus as recited in claim 52, further comprising instructions for enforcing the abstract policies by performing the steps of:

creating and storing messages requesting an operating system function to modify a packet of the traffic flows using a policy element that requests a different operating system function according to the operating system then in use; and

at the network device, in response to receiving traffic from the application program that matches the traffic flow type and in response to the operating system function, modifying the packet to activate a quality of service treatment of the network device.